Environment model
Atlas uses two Terraform roots with the same structure and mostly the same module graph:
- terraform/staging
- terraform/prod
The design goal is parity by structure and divergence by inputs.
Root comparison
| Concern | staging root | prod root |
|---|---|---|
| Folder | terraform/staging | terraform/prod |
| Current naming defaults | project_name = "poc-atlas", environment = "dev" | project_name = "atlas", environment = "prod" |
| State key | staging/terraform.tfstate | prod/terraform.tfstate |
| MSK placement | msk_subnet_type = "public" in example values | msk_subnet_type = "private" in committed prod values |
| MSK connectivity | msk_enable_multi_vpc_connectivity = false | msk_enable_multi_vpc_connectivity = true |
| RDS placement | public subnet group, publicly accessible | private subnet group, not publicly accessible |
| RDS durability | single-AZ, easy teardown defaults | Multi-AZ and deletion protection enabled |
| Log retention | 1 day defaults in example values | 7 day values in committed prod vars |
What stays aligned
- Both roots use the same shared modules under terraform/modules.
- Both roots provision the same functional areas: VPC, ALB, ECS services, MSK, optional MSK Connect, RDS, secrets, and monitoring.
- Both roots expect the same operator sequence: bootstrap backend, initialize the root, create ECR repositories, push images, apply infrastructure, then populate secrets.
What changes by environment
- Naming prefixes and hostnames
- ACM certificate IDs
- Network shape and allowed CIDRs
- MSK broker class and connectivity mode
- RDS placement, durability, and access
- Log retention and operational hardening
Note
The staging directory name reflects the environment role, while the default input values inside that root still preserve the older poc-atlas-dev naming convention. Treat that as current reality, not as an inconsistency to paper over in docs.
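
A pre-apply check for the prod root, added here as an example and not part of the Atlas repository: it parses a flat tfvars file and reports values that differ from the prod column of the root comparison table, which catches staging values copied into prod inputs. The rds_* and log_retention_days variable names are assumptions, since the page names only the project_name, environment and msk_* inputs, and the sample tfvars text is constructed.

```python
import re

# Expected prod values, from the prod column of the root comparison table.
# ASSUMPTION: rds_* and log_retention_days are hypothetical variable names.
PROD_RULES = {
    "environment": lambda v: v == "prod",
    "msk_subnet_type": lambda v: v == "private",
    "msk_enable_multi_vpc_connectivity": lambda v: v is True,
    "rds_publicly_accessible": lambda v: v is False,
    "rds_deletion_protection": lambda v: v is True,
    "log_retention_days": lambda v: type(v) is int and v >= 7,
}

_ASSIGN = re.compile(r'^\s*([\w-]+)\s*=\s*("([^"]*)"|true|false|\d+)\s*(?:(?:#|//).*)?$')

def parse_tfvars(text):
    """Parse flat `key = "str" | true | false | int` lines; skip anything else."""
    values = {}
    for line in text.splitlines():
        if not (m := _ASSIGN.match(line)):
            continue
        key, raw, quoted = m.groups()
        if quoted is not None:
            values[key] = quoted
        elif raw in ("true", "false"):
            values[key] = raw == "true"
        else:
            values[key] = int(raw)
    return values

def check_prod(text):
    """Return (key, problem) pairs; an unset key falls back to a module default."""
    values = parse_tfvars(text)
    findings = []
    for key, ok in PROD_RULES.items():
        if key not in values:
            findings.append((key, "unset"))
        elif not ok(values[key]):
            findings.append((key, f"unexpected value {values[key]!r}"))
    return findings

# Constructed sample: prod inputs with staging values copied in.
SAMPLE = """\
environment = "prod"
msk_subnet_type = "public"  # copied from the staging example values
msk_enable_multi_vpc_connectivity = true
rds_publicly_accessible = true
log_retention_days = 1
"""
```

Running `check_prod` over the prod tfvars in CI before the apply step fails the pipeline on any non-empty result; list and map inputs such as allowed CIDRs are outside what this flat parser reads.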